Cannot get past "Found a user-provided certificate, but couldn't install it" error

Despite being a software engineer and very familiar with how all of this works, I am having an incredibly hard time getting a custom certificate to work within Plex Media Server, always failing with the vague “Found a user-provided certificate, but couldn’t install it.” error message.

I have tried the proposed solutions in every other matching thread on this topic, but still cannot get past it.

Setup:

  • custom domain pointed to my IP
  • Router set up to forward ports 80, 443, and 32400 to the server
  • Server is running macOS High Sierra
  • Certificate is generated with Let's Encrypt, using official methods
  • OpenSSL-exported PKCS#12 format, using:
openssl pkcs12 -export -out "certificate.pfx" \
  -passout pass:[PASSWORD/REDACTED] \
  -in /etc/letsencrypt/live/[DOMAIN/REDACTED]/cert.pem \
  -inkey /etc/letsencrypt/live/[DOMAIN/REDACTED]/privkey.pem \
  -name plexmediaserver \
  -CAfile /etc/letsencrypt/live/[DOMAIN/REDACTED]/chain.pem -caname root

I moved the certificate.pfx file to a folder which has full read permissions, and I gave the certificate itself read and execute permissions for all users.

I have the entries in Plex Media Server set as:

Custom certificate location:  /Users/[REDACTED]/Library/Mobile Documents/com~apple~CloudDocs/Projects/Plex-LetsEncrypt/certificate.pfx
Custom certificate encryption key: [PASSWORD/REDACTED]
Custom certificate domain: [DOMAIN/REDACTED]

I have tried just about every permutation I can think of of possible values on these setup items, but cannot for the life of me get Plex Media Server to dish out my certificate. For what it’s worth, the secure setup works using the Plex self-signed certificate, but it requires manually trusting it in every browser used to access the server, something I am trying desperately to avoid. Help!

Plex Pass: Lifetime
Server Version#: 1.18.1.1973
Player Version#: N/A

mini:Plex-LetsEncrypt Coneybeare$ tail -f ~/Library/Logs/Plex\ Media\ Server/Plex\ Media\ Server.log | grep -i CERT
Oct 26, 2019 15:24:57.178 [0x70000479e000] DEBUG - Request: [127.0.0.1:60511 (Loopback)] PUT /:/prefs?customCertificateKey=[REDACTED] (12 live) GZIP Signed-in Token ({REDACTED])
Oct 26, 2019 15:24:57.184 [0x70000479e000] DEBUG - CERT: Certificate will not expire soon.
Oct 26, 2019 15:24:57.186 [0x700004cbc000] DEBUG - Completed: [127.0.0.1:60511] 200 PUT /:/prefs?customCertificateKey=[REDACTED] (12 live) GZIP 8ms 274 bytes (pipelined: 4)
Oct 26, 2019 15:24:57.188 [0x700004c39000] DEBUG - CERT: Installed certificate with fingerprint 2c:41:80:8f:c6:8c:7e:f2:9e:d6:58:d7:f0:29:0c:c2:cb:b1:4e:8c.
Oct 26, 2019 15:24:57.189 [0x700004c39000] DEBUG - CERT: Installed new private key.
Oct 26, 2019 15:24:57.189 [0x700004c39000] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.99a62d53b6e04af7ac63fe19bf0ed605.plex.direct
Oct 26, 2019 15:24:57.189 [0x700004c39000] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
Oct 26, 2019 15:24:57.189 [0x700004c39000] DEBUG - CERT: Installed intermediate certificate.
Oct 26, 2019 15:24:57.190 [0x700004c39000] ERROR - CERT: Found a user-provided certificate, but couldn't install it.

Maybe try -password instead of -passout in your openssl command, or just run the command without that switch and enter the password at the prompt.

Also, why are you specifying -caname root?

You can follow this for a basic Plex Letsencrypt SSL cert setup.

I use letsencrypt and have that cert applied to plex, but I am also using nginx as a reverse proxy, so that might be a bit different.

I actually tried your setup first. Same issue. This latest iteration came from another similar script setup found through the links on similar threads here.

I tried your method again, using certificate2 as the filename, same issue.

mini:Plex-LetsEncrypt [REDACTED]$ tail -f ~/Library/Logs/Plex\ Media\ Server/Plex\ Media\ Server.log | grep -i CERT
Oct 26, 2019 16:28:50.790 [0x70000479e000] DEBUG - Request: [127.0.0.1:60627 (Loopback)] PUT /:/prefs?customCertificatePath=%20%2FUsers%[REDACTED]%2FLibrary%2FMobile%20Documents%2Fcom~apple~CloudDocs%2FProjects%2FPlex-LetsEncrypt%2Fcertificate2.pfx&customCertificateKey=[REDACTED] (9 live) GZIP Signed-in Token ([REDACTED])
Oct 26, 2019 16:28:50.797 [0x70000479e000] DEBUG - CERT: Certificate will not expire soon.
Oct 26, 2019 16:28:50.802 [0x70000479e000] DEBUG - CERT: Certificate will not expire soon.
Oct 26, 2019 16:28:50.803 [0x700004cbc000] DEBUG - CERT: Installed certificate with fingerprint 2c:41:80:8f:c6:8c:7e:f2:9e:d6:58:d7:f0:29:0c:c2:cb:b1:4e:8c.
Oct 26, 2019 16:28:50.803 [0x700004cbc000] DEBUG - CERT: Installed new private key.
Oct 26, 2019 16:28:50.803 [0x700004c39000] DEBUG - Completed: [127.0.0.1:60627] 200 PUT /:/prefs?customCertificatePath=%20%2FUsers%[REDACTED]%2FLibrary%2FMobile%20Documents%2Fcom~apple~CloudDocs%2FProjects%2FPlex-LetsEncrypt%2Fcertificate2.pfx&customCertificateKey=[REDACTED] (9 live) GZIP 13ms 274 bytes (pipelined: 4)
Oct 26, 2019 16:28:50.803 [0x700004cbc000] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.99a62d53b6e04af7ac63fe19bf0ed605.plex.direct
Oct 26, 2019 16:28:50.803 [0x700004cbc000] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
Oct 26, 2019 16:28:50.804 [0x700004cbc000] DEBUG - CERT: Installed intermediate certificate.
Oct 26, 2019 16:28:50.804 [0x700004cbc000] ERROR - CERT: Found a user-provided certificate, but couldn't install it.
Oct 26, 2019 16:28:50.810 [0x700004cbc000] DEBUG - CERT: Installed certificate with fingerprint 2c:41:80:8f:c6:8c:7e:f2:9e:d6:58:d7:f0:29:0c:c2:cb:b1:4e:8c.
Oct 26, 2019 16:28:50.810 [0x700004cbc000] DEBUG - CERT: Installed new private key.
Oct 26, 2019 16:28:50.810 [0x700004cbc000] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.99a62d53b6e04af7ac63fe19bf0ed605.plex.direct
Oct 26, 2019 16:28:50.810 [0x700004cbc000] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
Oct 26, 2019 16:28:50.811 [0x700004cbc000] DEBUG - CERT: Installed intermediate certificate.
Oct 26, 2019 16:28:50.811 [0x700004cbc000] ERROR - CERT: Found a user-provided certificate, but couldn't install it.
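
A small triage helper for logs like the ones above, added here as an example and not part of the original thread or of Plex. It percent-decodes the `PUT /:/prefs` request to show the path value Plex actually received (the `%20` ahead of `%2F` in the log decodes to a leading space) and reports when the installed subject is still a `*.plex.direct` name. The sample log is constructed; the function name `triage` and the domain `media.example.org` are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample, modelled on the log excerpts in this thread
# (user name, key, token and fingerprint replaced with placeholders).
SAMPLE_LOG = """\
Oct 26, 2019 16:28:50.790 [0x1] DEBUG - Request: [127.0.0.1:60627 (Loopback)] PUT /:/prefs?customCertificatePath=%20%2FUsers%2Fexample%2FPlex-LetsEncrypt%2Fcertificate2.pfx&customCertificateKey=PLACEHOLDER (9 live) GZIP Signed-in Token (PLACEHOLDER)
Oct 26, 2019 16:28:50.803 [0x2] DEBUG - CERT: Installed certificate with fingerprint 00:11:22:33.
Oct 26, 2019 16:28:50.803 [0x2] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.0123456789abcdef.plex.direct
Oct 26, 2019 16:28:50.804 [0x2] ERROR - CERT: Found a user-provided certificate, but couldn't install it.
"""

PREFS_RE = re.compile(r"Request: .*? PUT /:/prefs\?(\S+)")
SUBJECT_RE = re.compile(r"CERT: Subject name is (\S.*)$")
FAIL_MSG = "Found a user-provided certificate, but couldn't install it"


def triage(log_text, expected_domain):
    """Return de-duplicated findings about custom-certificate handling."""
    findings = []
    for line in log_text.splitlines():
        m = PREFS_RE.search(line)
        if m:
            # parse_qs percent-decodes values, so %20 becomes a real space.
            prefs = parse_qs(m.group(1), keep_blank_values=True)
            for path in prefs.get("customCertificatePath", []):
                if path != path.strip():
                    findings.append(f"path has leading/trailing whitespace: {path!r}")
        m = SUBJECT_RE.search(line)
        if m:
            # The CN is the last component of the logged subject string.
            cn = m.group(1).rsplit("CN=", 1)[-1].strip()
            if cn.endswith(".plex.direct") and cn != expected_domain:
                findings.append(f"installed subject is still {cn}, not {expected_domain}")
        if FAIL_MSG in line:
            findings.append("custom certificate rejected")
    # Logs repeat the same sequence on retries; keep first occurrences only.
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "media.example.org"):
        print(finding)
```
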

The only way I can get that error you see is if I put in an incorrect password in the “Custom certificate encryption key” field.

There are numerous ways to get this error. Password is correct. I don’t have any parse error logs present like in your screenshot.

Do you know where I can locate what certs plex has copied over/installed?

I thought I could get this working without having to set up an Apache virtual host, but alas, could not. I ended up getting it to work by configuring my router to forward 443 to Apache, a secure 443 virtual host to use the certificate and point to internal 32400 port for Plex, and also configuring PMS to use the pfx file.
